There are plenty of guides on this already, but I recently used the Let’s Encrypt certbot client again manually (instead of through already automated systems) and figured I’d write up the commands for myself. Just in case.
The old git clone + letsencrypt-auto approach is deprecated now, so install certbot via snap instead (the method the EFF recommends).
$ sudo snap install --classic certbot
$ sudo ln -s /snap/bin/certbot /usr/local/bin/certbot
Now that the client is available on the system, you can request new certificates. If the DNS is already pointing to this server, it’s super easy with the webroot validation.
$ sudo certbot certonly --expand \
--email you@yoursite.tld --agree-tos \
--webroot -w /var/www/vhosts/yoursite.tld/htdocs/public/ \
-d yoursite.tld \
-d www.yoursite.tld
You can add multiple domains with the -d flag and point it to the right document root using the -w flag.
After that, you’ll find your certificates in /etc/letsencrypt/live/yoursite.tld/:
$ ls -alh /etc/letsencrypt/live/yoursite.tld/*
/etc/letsencrypt/live/yoursite.tld/cert.pem -> ../../archive/yoursite.tld/cert1.pem
/etc/letsencrypt/live/yoursite.tld/chain.pem -> ../../archive/yoursite.tld/chain1.pem
/etc/letsencrypt/live/yoursite.tld/fullchain.pem -> ../../archive/yoursite.tld/fullchain1.pem
/etc/letsencrypt/live/yoursite.tld/privkey.pem -> ../../archive/yoursite.tld/privkey1.pem
You can now use these certs in whichever webserver or application you like.
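The listing above shows that everything under live/ is a symlink into archive/; on renewal certbot writes the next numbered files there and repoints the links, so a server should reference the live/ paths rather than copies. As an added example (not part of the original post; check_lineage is a hypothetical helper name), this script checks that layout and that the private key is not accessible to other users:

```shell
#!/bin/sh
# Added example: sanity-check a certbot lineage directory before a server uses it.
# check_lineage is a hypothetical helper name, not part of certbot.
# Run it as root: the real directory is normally readable only by root.
check_lineage() {
    live=$1
    rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        p="$live/$f"
        if [ ! -L "$p" ]; then
            # A copied file would keep serving the old cert after renewal.
            echo "FAIL $f: not a symlink"
            rc=1
            continue
        fi
        if [ ! -s "$p" ]; then
            # -s follows the link, so this catches dangling and empty targets.
            echo "FAIL $f: target missing or empty"
            rc=1
            continue
        fi
        case $(readlink "$p") in
            ../../archive/*) echo "ok   $f -> $(readlink "$p")" ;;
            *) echo "FAIL $f: target is outside ../../archive/"; rc=1 ;;
        esac
    done
    key="$live/privkey.pem"
    if [ -e "$key" ]; then
        # Characters 8-10 of the mode string are the "other" permission bits.
        other=$(ls -lL "$key" | cut -c8-10)
        if [ "$other" != "---" ]; then
            echo "FAIL privkey.pem: accessible to other users ($other)"
            rc=1
        fi
    fi
    return $rc
}

# Usage: sudo sh check_lineage.sh /etc/letsencrypt/live/yoursite.tld
if [ "$#" -gt 0 ]; then
    check_lineage "$1"
fi
```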